ESB-2014.1155 - [Win][UNIX/Linux][Debian] libav: Execute arbitrary code/commands - Remote with user interaction

Date: 14 July 2014

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1155
                           libav security update
                               14 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libav
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4609  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2977

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libav check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2977-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
July 11, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libav
CVE ID         : CVE-2014-4609

Don A. Bailey discovered an integer overflow in the lzo compression
handler which could result in the execution of arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 6:0.8.13-1.

For the testing distribution (jessie), this problem has been fixed in
version 6:10.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 6:10.2-1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================